OFFICE OF INSPECTOR GENERAL

Audit Report
Evaluation of the Railroad Retirement Board Medicare Contractor’s Information Security

Report No. 08-04
September 26, 2008

RAILROAD RETIREMENT BOARD

INTRODUCTION

This report presents the results of the Office of Inspector General’s (OIG) evaluation of the Railroad Retirement Board (RRB) Medicare contractor’s information security.

Background

The RRB administers the retirement/survivor and unemployment/sickness insurance benefit programs for railroad workers and their families under the Railroad Retirement Act (RRA) and the Railroad Unemployment Insurance Act (RUIA). These programs provide income protection during old age and in the event of disability, death, temporary unemployment or sickness. The RRB paid over $9.8 billion in benefits during fiscal year (FY) 2007. The RRB is headquartered in Chicago, Illinois and has 53 Field Offices across the nation.

The RRB’s information system environment consists of two general support systems and six major application systems, one of which is the administration of Medicare entitlement. Each system has been designated as a moderate impact system in accordance with standards and guidance promulgated by the National Institute of Standards and Technology (NIST).

The RRB’s Medicare program provides health insurance to persons ages 65 and older, as well as certain other persons under age 65 who are entitled to monthly benefits based on total disability. The RRB enrolls railroad beneficiaries for Medicare coverage, collects for Part B supplemental medical insurance, and oversees a nationwide contract for the processing of Part B claims. As of the end of fiscal year 2007, approximately 503,400 persons were enrolled in Medicare Part A, and about 487,400 of them were also enrolled in Part B.
The RRB’s Medicare contractor for Part B claims made payments totaling $897 million in fiscal year 2007.

This evaluation was conducted pursuant to Title III of the E-Government Act of 2002, the Federal Information Security Management Act of 2002 (FISMA), which requires annual agency program reviews, Inspector General security evaluations, an annual agency report to the Office of Management and Budget (OMB), and an annual OMB report to Congress. FISMA also establishes minimum requirements for the management of information security in nine areas:

• Risk Assessment
• Policies and Procedures
• Testing and Evaluation
• Training
• Security Plans
• Remedial Action Process
• Incident Handling and Reporting
• Continuity of Operations
• Inventory of Systems

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity, and availability. The agency’s information security program includes information systems provided by contractors. The RRB’s Medicare contractor has stated that their entity-wide systems security program has been implemented, documented, approved and monitored in accordance with methodologies and requirements established by the Centers for Medicare and Medicaid Services (CMS), the cognizant Federal agency.

The Bureau of Information Services (BIS), under the direction of the Chief Information Officer, is responsible for the RRB’s information security and privacy programs.
The Office of Programs is responsible for the Medicare major application, including oversight of its contractor operations.

Objective, Scope and Methodology

This evaluation was performed to meet FISMA requirements for an annual OIG evaluation of information security for an RRB contractor operation during FY 2008. Our evaluation consisted of examining documents prepared by the RRB’s Medicare contractor to support FISMA compliance in accordance with NIST guidance, including the design of FISMA required controls. These documents are provided to the RRB to support the RRB’s oversight role for the RRB Medicare program, including FISMA compliance. Our evaluation did not include an assessment of whether the controls listed in any of the documents were operating or effective, nor did we evaluate the documents to determine compliance with CMS methodologies and requirements.

In addition to examining the above-referenced documents, we assessed whether a web-based component application recently implemented by the RRB in January 2008, for use by the Medicare contractor, adequately addressed authentication and privacy risks in accordance with OMB requirements.[1] This component application allows employees of the Medicare contractor to report specific transactions to the RRB for updating various RRB information systems.

The primary criteria for this evaluation included:

• FISMA requirements;
• OMB Circular A-130, “Management of Federal Information Resources”;
• OMB memoranda; and
• NIST standards and guidance.

Our work was performed in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Fieldwork was conducted at RRB headquarters in Chicago, Illinois from May through September 2008.

[1] Authentication is the process in which the identity of a user is verified, often as a prerequisite to allowing access to resources in an information system.

RESULTS OF EVALUATION

The Office of Programs has received a level of information from their Medicare contractor that would facilitate their oversight role for the RRB’s Medicare program, including FISMA compliance. However, some improvement is needed in ensuring risk-based assessments for the RRB’s information security and privacy program.

The details of our review, including recommendations for corrective action, follow. Agency management has agreed to take the recommended corrective actions for all recommendations. The full text of management’s responses is included in this report as Appendix I.

FISMA Related Documentation

The RRB’s Medicare contractor has provided RRB management with documentation to support compliance with certain FISMA requirements. RRB management provided us with copies of the following FISMA related documents:

• system security plan,
• risk assessment,
• self-assessment, and
• Plan of Actions and Milestones (POAM).

CMS is the primary recipient of these materials because they are the cognizant Federal agency for FISMA compliance with respect to Medicare contractors.
Our assessment included a comparison of these documents with applicable NIST guidance for general form and content.

System Security Plan

Our evaluation of the system security plan using NIST SP 800-18, “Guide for Developing Security Plans for Federal Information Systems,” showed that while the plan contained extensive control descriptions, it did not list the individual controls specified in NIST SP 800-53, “Recommended Security Controls for Federal Information Systems.” We also observed that the plan did not specify which of the individual controls were “common.” A common control is generally managed by an organizational entity other than the information system owner and is shared by multiple system owners. The system security plan presents a background of the program that implies multiple organizational entities, which suggests common controls may be applicable.

Risk Assessment

We evaluated the risk assessment using NIST SP 800-30, “Risk Management Guide for Information Technology Systems,” and observed that the document follows a NIST compliant methodology.
We noted, however, that the control recommendations that are required by NIST are only referenced in the document and not presented individually. Additionally, the risk assessment document does not reflect whether or not CMS management or auditors recommended controls that would mitigate the risks to an acceptable level, or whether any such recommended controls were implemented by the Medicare contractor.

Self-Assessment

The Medicare contractor’s self-assessment is well documented and directly references the individual controls from NIST SP 800-53 as well as other directives such as the Health Insurance Portability and Accountability Act and the Government Accountability Office Federal Information System Controls Audit Manual.

Plan of Actions and Milestones

We evaluated the POAM using criteria established by OMB. POAM instructions are highlighted by OMB each year in their annual FISMA reporting instructions. Detailed POAM data elements required by OMB are provided in OMB M-04-25, “FY 2004 Reporting Instructions for the Federal Information Security Management Act.” While POAMs are no longer required to follow the exact format shown in the above referenced guidance, all of the data elements must still be included.[2] We observed that the POAM generally complies with OMB guidance. However, we did note that some milestone completion information was not consistently provided within the POAM. Additionally, we did not find any overall status information regarding the state of weakness correction, such as “ongoing” or “completed.”

E-Authentication Risk Assessment

An E-Authentication Risk Assessment was not prepared before a newly developed RRB web-based application was implemented.
NIST defines electronic authentication (e-authentication) as “the process of establishing confidence in user identities electronically presented to an information system.”

OMB M-04-04, “E-Authentication Guidance for Federal Agencies,” provides agencies with guidance for determining the level of e-authentication assurance required for specific applications and transactions, based on the risks and their likelihood of occurrence. OMB M-08-21, “FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management,” defines an e-authentication application as an application that:

• is web-based;
• requires authentication; and
• extends beyond the borders of the agency’s enterprise (e.g. multi-agency, government-wide, or public facing).

[2] Since this review was for a contractor operation, we did not consider the data element which estimates the Federal budget funding resources required to address any weaknesses identified in the POAM.

In January 2008, the RRB implemented a web-based component application for use by the Medicare contractor. This component application allows employees of the Medicare contractor to report specific transactions to the RRB for updating various RRB information systems. This application meets the e-authentication criteria established in OMB M-08-21.

RRB management did not ensure that the E-Authentication Risk Assessment was prepared in accordance with OMB guidance. As a result, the RRB cannot provide assurance that the risks associated with improper authentication methods are addressed in the new application.

Recommendation

1. We recommend that the Office of Programs prepare an E-Authentication Risk Assessment for the newly implemented application.

Management’s Response

The Office of Programs has agreed, and will complete an assessment.

Privacy Impact Assessment

A privacy impact assessment was not prepared before a newly developed RRB web-based application was implemented. A privacy impact assessment is an analysis of how information is handled to ensure the handling conforms with legal, regulatory, and policy requirements regarding privacy. A privacy impact assessment is essentially a risk assessment of the practices involving privacy-related information.

OMB M-03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002,” requires agencies to prepare privacy impact assessments when they use information technology to collect new information or when they develop or buy new systems to handle collections of personally identifiable information.[3]

As discussed above, the RRB implemented a web-based component application in January 2008 for use by their Medicare contractor. This component application allows employees of the Medicare contractor to report specific transactions to the RRB for updating various RRB information systems. These transactions include personally identifiable information and, therefore, meet the criteria established in OMB M-03-22.

RRB management did not ensure that the privacy impact assessment was prepared in accordance with OMB guidance.
As a result, the RRB cannot provide assurance that the risks associated with collecting and handling privacy-related information are addressed in the new application.

[3] Personally identifiable information is any information about an individual maintained by an agency which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.

Recommendation

2. We recommend that the Office of Programs prepare a privacy impact assessment for the newly implemented application.

Management’s Response

The Office of Programs concurs with the recommendation and will complete the assessment.

Appendix I

UNITED STATES GOVERNMENT
RAILROAD RETIREMENT BOARD
MEMORANDUM

TO: Letty Benjamin Jay
Assistant Inspector General for Audit

FROM: Catherine A. Leyser
Director of Assessment and Training

THROUGH: Dorothy Isherwood
Director of Programs

SUBJECT: Draft Report - Evaluation of the Railroad Retirement Board Medicare Contractor Information Security

Recommendation 1: The Office of Programs should prepare an E-Authentication Risk Assessment for the newly implemented application.

OP response: We agree. We will complete the assessment by March 31, 2009.

Recommendation 2: The Office of Programs should prepare a privacy impact assessment for the newly implemented application.

OP response: We concur. We will complete the assessment by March 31, 2009.

cc: Director of Policy and Systems